I'm in the process of architecting a new infrastructure for my present
employer. The goal is to develop a system topology that will provide a
highly scalable and secure environment in which to implement our customers'
web applications. An environment that a "best practices" development
methodology can be applied against... so to speak.

My issue is security in the context of user authentication and session state
management.

Overview

We are a Microsoft Windows 2000 shop. Active Directory is run in Native
Mode, we have multiple web servers and sites, dynamic load balancing
through Cisco devices, a clustered Middle Tier (Application) with
Windows 2000 Advanced Server, and an Active/Active SQL 2000 Cluster.

The operating environment is as follows: multiple web sites (IIS 5.0)
developed with ASP, XSL/XML, COM+, and SQL stored procedures.

The Development Objective is as follows: take advantage of Windows 2000
security within Active Directory, assign Roles to the COM+ components,
assign Roles to the SQL 2000 Database Tables, create 4 generic global
groups/accounts, assign the groups to COM+ Roles according to the level
of security required per component, and assign SQL Roles as required to map
the required levels of security to the Database Tables.

Issue: How to effectively develop and implement security within this
context. Each COM+ component is dispatched for specific functions. COM+
components are called within the security context of the identity of the
Roles assigned to them. The IUSR account functions in a standard format,
running under the identity of Anonymous; the identity will change when
the user has been authenticated with their registered account within the
database, and they will be allowed to perform specific functions on the
public site.

Functions can be broken down into Site Administrators, Registered
Users/Buyers, and Advertisers. The IUSR/Anonymous account is allowed to
browse the site but is unable to initiate any registered user,
advertiser, or site admin functions without having changed its
identity, which is associated with the COM+ Roles, after it has been
authenticated through Application Level Logon.

Granular Access Control is required for the individual registered users,
site administrators, and advertisers, to ensure the individual cannot
gain access to other secure functions which the COM+ Roles allow
(through Database Tables). The Individual Access would be controlled
through individual accounts/roles within the SQL Database; the Database
Accounts Table would be marked by Site Admins, Registered Users, and
Advertisers. The IUSR/Anonymous account maintains its session state
within a Table.

We are trying to resolve security and scalability issues by finding a
solution which allows us to identify individual users within the
database, requiring them to be authenticated before being allowed to
perform functions that would be restricted for the IUSR/Anonymous account
that is used to browse the public site. Once the account is validated
within the database and corresponding member table, it would inherit the
permissions from the account/group within the SQL Role assigned to the
Table, be validated at the Domain Controller, and if validated, receive a
Kerberos ticket/key which corresponds to its generic security group, and
be allowed access to the COM+ component that maps to the Group Account assigned
to the COM+ component.

(It maps to the SQL Table Role and COM+ Role, mapping the account,
component, and database-table permissions through Active Directory and
having a ticket lifetime assigned.)

We are trying to establish the security by controlling individual
account administration at the Database level and N-Tier security and
validation by mapping COM+ Roles to SQL Roles using SQL-Windows
Authentication, OLEDB Trusted Connection string, and COM+ Role Based
security.

The concept is to use Delegation to bypass security checks once the
Database role/account is validated and the COM+ functions are checked, based
on the user's session Ticket.

The issue we have is in trying to establish security based on initial
validation with the SQL Database, then passing the security context
assigned to the SQL Table - Role through to the COM+ component and
controlling the session security.

Thanks for your time,

Chris
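The SQL Role side of the mapping Chris describes (four generic Windows global groups, one SQL Role per COM+ Role, table permissions reachable only through stored procedures over a trusted connection) can be laid out as a single SQL Server 2000 script. The script below is an added example written for this post, not code from the original message; the domain name CORP, the group, database, table and procedure names, and the table columns are all constructed placeholders.

```sql
-- Added example (not from the original post): SQL Server 2000 script that
-- maps four Windows global groups to four database roles and allows table
-- access only through stored procedures. All names are placeholders.
USE CustomerSite;   -- placeholder database
GO

-- Minimal placeholder tables so the script runs on an empty database.
CREATE TABLE dbo.Accounts (AccountId int PRIMARY KEY, DisplayName nvarchar(64),
                           AccountType char(1));              -- 'U'ser / 'A'dvertiser / 'S'ite admin
CREATE TABLE dbo.Sessions (SessionId uniqueidentifier PRIMARY KEY, AccountId int NULL,
                           LastSeen datetime, LastIdentity sysname NULL);
CREATE TABLE dbo.Adverts  (AdvertId int PRIMARY KEY, OwnerAccountId int, Published bit);
GO

-- 1. Each Windows group gets a login and a database user. Windows
--    authentication means the OLEDB connection string carries no password.
EXEC sp_grantlogin    'CORP\WebAnonymous';          -- IUSR / anonymous browsing
EXEC sp_grantlogin    'CORP\WebRegisteredUsers';
EXEC sp_grantlogin    'CORP\WebAdvertisers';
EXEC sp_grantlogin    'CORP\WebSiteAdmins';
EXEC sp_grantdbaccess 'CORP\WebAnonymous';
EXEC sp_grantdbaccess 'CORP\WebRegisteredUsers';
EXEC sp_grantdbaccess 'CORP\WebAdvertisers';
EXEC sp_grantdbaccess 'CORP\WebSiteAdmins';
GO

-- 2. One database role per COM+ role, so the two permission sets line up 1:1.
EXEC sp_addrole 'AnonymousRole';
EXEC sp_addrole 'RegisteredUserRole';
EXEC sp_addrole 'AdvertiserRole';
EXEC sp_addrole 'SiteAdminRole';
EXEC sp_addrolemember 'AnonymousRole',      'CORP\WebAnonymous';
EXEC sp_addrolemember 'RegisteredUserRole', 'CORP\WebRegisteredUsers';
EXEC sp_addrolemember 'AdvertiserRole',     'CORP\WebAdvertisers';
EXEC sp_addrolemember 'SiteAdminRole',      'CORP\WebSiteAdmins';
GO

-- 3. No role reads or writes the tables directly. DENY to public overrides
--    any later accidental GRANT on a table.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Accounts TO public;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Sessions TO public;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Adverts  TO public;
GO

-- 4. Procedures owned by dbo touch dbo-owned tables, so ownership chaining
--    lets a caller with EXECUTE run them despite the table-level DENY.
--    SUSER_SNAME() records which Windows identity the middle tier used: the
--    COM+ application identity, unless the user's credentials were delegated.
CREATE PROCEDURE dbo.usp_Session_Touch @SessionId uniqueidentifier AS
    UPDATE dbo.Sessions
       SET LastSeen = GETDATE(), LastIdentity = SUSER_SNAME()
     WHERE SessionId = @SessionId;
GO
CREATE PROCEDURE dbo.usp_Account_GetProfile @AccountId int AS
    SELECT AccountId, DisplayName, AccountType
      FROM dbo.Accounts
     WHERE AccountId = @AccountId;
GO
CREATE PROCEDURE dbo.usp_Advert_Publish @AdvertId int, @AccountId int AS
    -- The OwnerAccountId filter is the per-user check the role grant cannot
    -- express: an advertiser may publish only adverts it owns.
    UPDATE dbo.Adverts SET Published = 1
     WHERE AdvertId = @AdvertId AND OwnerAccountId = @AccountId;
GO

-- 5. EXECUTE grants are the role-to-function mapping. Anything not listed
--    here is unreachable for that role, independent of the COM+ role check.
GRANT EXECUTE ON dbo.usp_Session_Touch      TO AnonymousRole, RegisteredUserRole, AdvertiserRole, SiteAdminRole;
GRANT EXECUTE ON dbo.usp_Account_GetProfile TO RegisteredUserRole, AdvertiserRole, SiteAdminRole;
GRANT EXECUTE ON dbo.usp_Advert_Publish     TO AdvertiserRole, SiteAdminRole;
GO
```

Two points worth keeping in mind when reading this against the post's design. First, with a trusted connection and no delegation, SQL Server sees the COM+ application identity for every call, so the SQL Role check is really a check on which COM+ application the component runs in; per-user restrictions (the OwnerAccountId filter above) must then live inside the procedure logic keyed on the session's account. Second, the table-level DENY plus EXECUTE-only grants give a second, independent control behind the COM+ Role check, so a misconfigured COM+ Role still cannot reach a table directly.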